Programmer’s Digest #44

08/09/2023-08/16/2023 New Python URL Parsing Flaw, 16 New CODESYS SDK Flaws, .NET Vulnerability And More.

1. Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability

Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access. CVE-2023-3519 refers to a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could lead to unauthenticated remote code execution. It was patched by Citrix last month. The development comes a week after the Shadowserver Foundation said it identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online and the flaw is being abused to drop PHP web shells on vulnerable servers for remote access. 

2. New Python URL Parsing Flaw Could Enable Command Execution Attacks

A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution.
urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.

The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS score of 7.5. CVE-2023-24329 arises from a lack of input validation, which makes it possible to get around blocklisting methods by supplying a URL that starts with blank characters (e.g., “ https://youtube[.]com”).
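As an added example (not code from the original digest), the snippet below puts the vulnerable filtering pattern next to a hardened one. The naive check parses the raw string and compares the hostname against a blocklist; on an unpatched interpreter a leading space leaves urlsplit with an empty scheme and no hostname, so nothing matches and the URL is allowed. The hardened check first strips leading and trailing C0 control characters and spaces (the same normalization the upstream fix performs inside urlsplit), then requires an allowlisted scheme and a non-empty host before applying the blocklist, so the result no longer depends on the interpreter version. The blocklist and allowlist contents are constructed sample values.

```python
"""Blocklist filtering that is robust to leading-whitespace URLs (CVE-2023-24329)."""
from urllib.parse import urlsplit

# Constructed sample policy: hosts we refuse, schemes we accept.
BLOCKED_HOSTS = {"youtube.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Code points 0x00..0x20: C0 control characters plus the space character.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_allowed(url, blocked_hosts=BLOCKED_HOSTS):
    """Vulnerable pattern: parse the raw string, then compare against a blocklist.

    On interpreters without the fix, " https://youtube.com" parses with an
    empty scheme and hostname None, so the blocklist never matches.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host not in blocked_hosts


def normalize_url(url):
    """Strip leading/trailing C0 controls and spaces before parsing."""
    return url.strip(_C0_AND_SPACE)


def hardened_is_allowed(url, blocked_hosts=BLOCKED_HOSTS,
                        allowed_schemes=ALLOWED_SCHEMES):
    """Normalize, require an allowlisted scheme and a real host, then blocklist.

    Failing closed on an unknown scheme or a missing host means a URL that the
    parser could not make sense of is rejected rather than waved through.
    """
    parts = urlsplit(normalize_url(url))
    if parts.scheme.lower() not in allowed_schemes:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host not in blocked_hosts


if __name__ == "__main__":
    for candidate in ("https://youtube.com", " https://youtube.com",
                      "\x1fhttps://YouTube.com/watch", " file:///etc/hosts",
                      "https://example.org"):
        print(repr(candidate), "naive:", naive_is_allowed(candidate),
              "hardened:", hardened_is_allowed(candidate))
```

Run it on a Python release from before the fix and the naive column reports the space-prefixed YouTube URL as allowed while the hardened column rejects it; on a patched release both agree, but the hardened check still rejects the `file:` URL that the blocklist alone would never catch.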

3. North Korean Hackers Suspected in New Wave of Malicious npm Packages

The npm package registry faces a new targeted attack campaign, mirroring a previous North Korean-linked incident. Around nine malicious packages were uploaded between August 9 and 12, 2023, suggesting a sophisticated and socially engineered attack. Initial execution is triggered by a postinstall hook in the package.json file, launching a pm2-dependent daemon process to run a spoofed RustDesk domain, initiating encrypted communication with a remote server. The malware awaits further instructions every 45 seconds, controlled by monitoring machine GUIDs. This development coincides with a typosquat Ethereum package, GDPR issues from the Moq NuGet package’s recent versions, and a rising susceptibility to dependency confusion attacks, highlighting increased supply chain vulnerabilities.
As mitigations against dependency confusion attacks, it’s recommended to publish internal packages under organization scopes and reserve internal package names in the public registry as placeholders to prevent misuse.

4. Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk

CyberPower’s PowerPanel Enterprise DCIM and Dataprobe’s iBoot PDU exhibit serious vulnerabilities (CVE-2023-3259 through CVE-2023-3267) with scores ranging from 6.7 to 9.8. These flaws enable unauthorized entry, allowing attackers to shut down data centers, breach data, and launch large-scale attacks. Exploiting these could cause catastrophic damage and grant complete system access. These vulnerabilities have been fixed in PowerPanel Enterprise 2.6.9 and Dataprobe iBoot PDU 1.44.08042023 versions. Threat actors could employ these issues to cripple critical infrastructure, perpetrate ransomware, DDoS, or wiper attacks, and engage in cyber espionage. The interconnected nature of modern systems makes prompt security measures crucial to prevent potential breaches and attacks.

5. Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

E-commerce websites utilizing Adobe’s Magento 2 software are under an ongoing attack named Xurum by Akamai, traced back to Russian actors. Leveraging a patched security flaw (CVE-2022-24086), the attackers aim for arbitrary code execution. The campaign’s scale is uncertain, but it focuses on recent payment data from the past 10 days. Compromised sites host a web shell called wso-ng, activated by a specific cookie, exfiltrating sales order payment methods. A rogue admin user “mageworx” or “mageplaza” is added to disguise their actions. This meticulous attack exhibits expertise in Magento, indicating a deliberate and targeted effort, distinct from widespread exploits.

6. 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks

A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.

The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks such as remote code execution (RCE) and denial-of-service (DoS). The remote code execution bugs could be abused to backdoor OT devices and interfere with the functioning of programmable logic controllers (PLCs) in a manner that could pave the way for information theft. To get past the user authentication barrier, a known vulnerability (CVE-2019-9013, CVSS score: 8.8) is employed to steal credentials by means of a replay attack against the PLC, followed by leveraging the flaws to trigger a buffer overflow and gain control of the device.

7. CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft’s .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case of denial-of-service (DoS) impacting .NET and Visual Studio. While exact details surrounding the nature of exploitation are unclear, the Windows maker has acknowledged the existence of a proof-of-concept (PoC) in its advisory. It also said that attacks leveraging the flaw can be pulled off without any additional privileges or user interaction. Affected versions of the software include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, and Microsoft Visual Studio 2022 version 17.6.